
Question

Posted

Hi,

We have a need to change the network password requirements from 8 to 10 character minimum.

 

Whilst we can just change the GPO and users will have to change their password, my concern is for service accounts.

 

Is it possible to search AD (possibly with PowerShell?) in order to interrogate all user accounts in a given OU and provide a list of all accounts with a password 9 characters or shorter?

 

We have an encrypted password storage system but it is so awful it is not searchable to give us this information.

 

Alternatively, do password requirements only come into effect when a password is expired/has to be changed? If an account is set to have the password never expire would that not be affected by the change in requirements?

 

thanks


4 answers to this question


Posted

So do you not know what your service accounts are?  Why not just change to be in line with your new policy before you enforce the policy?

 

If you change the policy to say 10, and an account's password was set before at 8 - nothing will happen until the password needs to be changed.  It would then need to meet policy - if it never expires it could stay 8 until doomsday.

 

There is no way to search that sort of attribute on the passwords without knowing what they are.  You could search if expired, when set sort of thing - but the length, unless you break them know you would not be able to know what length they are.

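Password length cannot be read from AD, but the attributes mentioned in the answer above (when the password was set, whether it expires) can. As an added example that is not part of the original thread, this PowerShell script lists enabled accounts in an OU whose password was last set before the new minimum takes effect and flags the ones that never expire. The OU path, the cutover date and the function name `Get-PrePolicyAccount` are placeholder assumptions; it needs the ActiveDirectory (RSAT) module.

```powershell
#Requires -Modules ActiveDirectory

# Assumptions (placeholders, not from the thread): adjust to your environment.
$SearchBase = 'OU=Service Accounts,DC=example,DC=com'   # OU to audit
$PolicyDate = Get-Date '2024-01-01'                      # date the 10-character minimum is enforced

function Get-PrePolicyAccount {
    param(
        [Parameter(Mandatory)] [string]   $SearchBase,
        [Parameter(Mandatory)] [datetime] $PolicyDate
    )

    $props = 'PasswordLastSet', 'PasswordNeverExpires', 'ServicePrincipalName', 'LastLogonDate'

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree -Properties $props |
        Where-Object {
            # PasswordLastSet is $null when pwdLastSet = 0 (must change at next logon);
            # those accounts are forced through the new policy anyway, so skip them.
            $_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyDate
        } |
        Select-Object SamAccountName,
            PasswordLastSet,
            PasswordNeverExpires,
            @{ Name = 'HasSPN'; Expression = { [bool]$_.ServicePrincipalName.Count } },
            LastLogonDate,
            @{ Name = 'Status'; Expression = {
                if ($_.PasswordNeverExpires) { 'Never expires: stays on old policy until manually reset' }
                else { 'Must meet new policy at next expiry' }
            } }
}

# Never-expiring accounts first, then most recently set password first.
Get-PrePolicyAccount -SearchBase $SearchBase -PolicyDate $PolicyDate |
    Sort-Object PasswordNeverExpires, PasswordLastSet -Descending |
    Export-Csv -Path .\pre-policy-accounts.csv -NoTypeInformation
```

The output is a list of candidates, not proof of a short password: a password set before the cutover may already be 10 characters or longer, it just was never checked against the new minimum.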

Posted

Could have sworn there was a setting in AD to force a password reset on next login, so set the policy to the group or OU and then essentially expire the passwords

 

I don't work in AD much, but I know the tool we use to check accounts has that option on an individual basis, there should be a global setting you can set, I hope 


Posted

"Could have sworn there was a setting in AD to force a password reset on next login, so set the policy to the group or OU and then essentially expire the passwords

I don't work in AD much, but I know the tool we use to check accounts has that option on an individual basis, there should be a global setting you can set, I hope"

 

perhaps admodify could assist with that.

http://admodify.codeplex.com/releases/view/6065


Posted

"force a password reset on next login"

 

That would be a horrific thing to do for service accounts ;)  Could break all kinds of stuff that way.
